Optimizing Compliance: Comparative Study of Data Laws and Privacy Frameworks
DOI: https://doi.org/10.5753/jisa.2025.5247
Keywords: Data Privacy, Privacy Requirements, Privacy Challenges, General Data Protection Law, Privacy by Design, ISO/IEC 29100, Privacy Frameworks
Abstract
Despite the spread of privacy laws and digital globalization, understanding of data regulation compliance and of cross-jurisdictional challenges remains limited. To avoid administrative sanctions and protect user data, organizations and developers must bridge these gaps while navigating laws such as the General Data Protection Regulation (GDPR), the American Data Privacy and Protection Act (ADPPA), the General Data Protection Law (LGPD), and the Australian Privacy Act. This study focuses on creating a comprehensive compliance tool by investigating the similarities and nuances of these laws, as well as the challenges developers and organizations face in implementing Privacy by Design principles and the ISO/IEC 29100 standard. Through a Systematic Literature Review (SLR), we pinpointed points of convergence and divergence among privacy laws and frameworks, as well as the challenges of implementing these laws in software. A survey was used to validate the challenges found in the SLR in the Brazilian context; most participants demonstrated a lack of knowledge regarding the LGPD. Lastly, we applied Framework Analysis to code and index key legislation points, allowing us to correlate them and develop a compliance-assistance tool. The contributions include a deeper understanding of the privacy implications in a global context and their practical challenges, and the development of practical guidance that translates legal requirements into actions. One limitation of this study lies in the interaction between selection and treatment in the survey: participants' responses will not necessarily generalize to the challenges faced by all developers and organizations. Overall, the contributions offer valuable theoretical and practical insights in the field of data privacy.
License
Copyright (c) 2025 Journal of Internet Services and Applications

This work is licensed under a Creative Commons Attribution 4.0 International License.